[dm-crypt] verity setup on active device.

[dm-crypt] verity setup on active device.

[Shiva]

Hello,

I have a requirement.

I have two devices . (/dev/sdb) and (/dev/sdc).

I have few files in /dev/sdb1. These files are created via nfs.

Now I want to use verity setup tool.

It needs to be able to perform the integrity check on /dev/sdb.

I wanted to  perform integrity check for a partition which is mounted.

1. I did the following.Installed the dm-verity from source.

2. My nfs-share was initially mounted .

(mount /dev/sdb1 /nfs-share)

3.I unmounted it.

4. veritysetup --debug format /dev/sdb /dev/sdc.
Got the "root hash".

5.Used the root hash in this command.
veritysetup --debug create nfs /dev/sdb /dev/sdc "root hash"

Everything works well.
My problem is I am not able to perform step5 for a mounted partition.

I require a mounted partition since nfs-share will use this partition.
(For addition and deletion)

Is there a command switch that needs to be performed in order to achieve this?

Any help/direction is greatly appreciated.

Re: [dm-crypt] verity setup on active device.

[Milan Broz]

On 04/04/2014 11:34 PM, Shiva wrote:
...
> 5.Used the root hash in this command.
> veritysetup --debug create nfs /dev/sdb /dev/sdc "root hash"
> 
> Everything works well.
> My problem is I am not able to perform step5 for a mounted partition.
> 
> I require a mounted partition since nfs-share will use this partition.
> (For addition and deletion)
> 
> Is there a command switch that needs to be performed in order to achieve this?

I am afraid this is not possible. Dm-verity was designed to provide
verification of (read-only) device (to provide verified boot path),
all IOs must go through dm-verity.
(So it must be in the stack from the beginning).

You cannot just add it later or run it parallel with mounted partition.
And how this can work if some data are already in page/fs cache?

Milan

Re: [dm-crypt] verity setup on active device.

[Shivaramakrishnan Vaidyanathan]

[-- Attachment #1: Type: text/plain, Size: 1974 bytes --]

Thanks Milan for your reply.
I have few questions is this regard.I am ready to perform the offline
integrity check.I can have the image files in the nfs-share archived live
to another partition that is not mounted.Will I be able to perform the
integrity check at the block level in this case?Each time virtual machine
boots up,I need to be able to verify if the image was the same as previous
boot.
Is this achievable?

Will these steps work?
1. Image file (VM1 - Virtual hard disk file mounted in nfs share
partition).
2.I rsync the directory of nfs-share to another partition.
3.Then whether I will be able to tell whether the virtual image file has
been altered/changed from the previous boot?

Can you please provide some details in regard to the implementations
required in this case?

If you know any other alternatives,It would be great if you could share
it.Also I dont get the notion "Dm-verity was designed to provide verification
of (read-only) device (to provide verified boot path), all IOs must go
through dm-verity."

So what does this mean?


On Sat, Apr 5, 2014 at 2:39 PM, Milan Broz <gmazyland@gmail.com> wrote:

> On 04/04/2014 11:34 PM, Shiva wrote:
> ...
> > 5.Used the root hash in this command.
> > veritysetup --debug create nfs /dev/sdb /dev/sdc "root hash"
> >
> > Everything works well.
> > My problem is I am not able to perform step5 for a mounted partition.
> >
> > I require a mounted partition since nfs-share will use this partition.
> > (For addition and deletion)
> >
> > Is there a command switch that needs to be performed in order to achieve
> this?
>
> I am afraid this is not possible. Dm-verity was designed to provide
> verification of (read-only) device (to provide verified boot path),
> all IOs must go through dm-verity.
> (So it must be in the stack from the beginning).
>
> You cannot just add it later or run it parallel with mounted partition.
> And how this can work if some data are already in page/fs cache?
>
> Milan
>

[-- Attachment #2: Type: text/html, Size: 2928 bytes --]

Re: [dm-crypt] verity setup on active device.

[Shivaramakrishnan Vaidyanathan]

[-- Attachment #1: Type: text/plain, Size: 2689 bytes --]

Also,
http://lwn.net/Articles/533558/ tells that
 "The key advantage over dm-verity is that the target supports read-write
and requires less hash calculation operations.Device-mapper "integrity"
target provides transparent cryptographic integrity protection of
underlying read-write block device using hash-based message authentication
codes (HMACs), which can be stored on the same or different block device."

I dont understand or get the main purpose of this tool. Could you please
explain in a bit more elaborate way.Thanks



On Sat, Apr 5, 2014 at 6:11 PM, Shivaramakrishnan Vaidyanathan <
shivaramakrishnan740@gmail.com> wrote:

> Thanks Milan for your reply.
> I have few questions is this regard.I am ready to perform the offline
> integrity check.I can have the image files in the nfs-share archived live
> to another partition that is not mounted.Will I be able to perform the
> integrity check at the block level in this case?Each time virtual machine
> boots up,I need to be able to verify if the image was the same as previous
> boot.
> Is this achievable?
>
> Will these steps work?
> 1. Image file (VM1 - Virtual hard disk file mounted in nfs share
> partition).
> 2.I rsync the directory of nfs-share to another partition.
> 3.Then whether I will be able to tell whether the virtual image file has
> been altered/changed from the previous boot?
>
> Can you please provide some details in regard to the implementations
> required in this case?
>
> If you know any other alternatives,It would be great if you could share
> it.Also I dont get the notion "Dm-verity was designed to provide verification
> of (read-only) device (to provide verified boot path), all IOs must go
> through dm-verity."
>
> So what does this mean?
>
>
> On Sat, Apr 5, 2014 at 2:39 PM, Milan Broz <gmazyland@gmail.com> wrote:
>
>> On 04/04/2014 11:34 PM, Shiva wrote:
>> ...
>> > 5.Used the root hash in this command.
>> > veritysetup --debug create nfs /dev/sdb /dev/sdc "root hash"
>> >
>> > Everything works well.
>> > My problem is I am not able to perform step5 for a mounted partition.
>> >
>> > I require a mounted partition since nfs-share will use this partition.
>> > (For addition and deletion)
>> >
>> > Is there a command switch that needs to be performed in order to
>> achieve this?
>>
>> I am afraid this is not possible. Dm-verity was designed to provide
>> verification of (read-only) device (to provide verified boot path),
>> all IOs must go through dm-verity.
>> (So it must be in the stack from the beginning).
>>
>> You cannot just add it later or run it parallel with mounted partition.
>> And how this can work if some data are already in page/fs cache?
>>
>> Milan
>>
>
>

[-- Attachment #2: Type: text/html, Size: 4388 bytes --]

Re: [dm-crypt] verity setup on active device.

[Milan Broz]

On 04/06/2014 12:11 AM, Shivaramakrishnan Vaidyanathan wrote:
> I have few questions is this regard.I am ready to perform the offline
> integrity check.I can have the image files in the nfs-share archived
> live to another partition that is not mounted.Will I be able to
> perform the integrity check at the block level in this case?Each time
> virtual machine boots up,I need to be able to verify if the image was
> the same as previous boot.> Is this achievable?
> 
> Will these steps work?
> 1. Image file (VM1 - Virtual hard disk file mounted in nfs share partition). 
> 2.I rsync the directory of nfs-share to another partition.
> 3.Then whether I will be able to tell whether the virtual image file has been altered/changed from the previous boot?

I am not sure if I understand what you are trying to do here but if it
is file image (full device image shared on nfs) why not use simple gpg
file signature and verify it before the VM boot?

...
 
> Also I dont get the notion "Dm-verity was designed to provide verification of (read-only) device (to provide verified boot path), all IOs must go through dm-verity."

The dm-verity was designed for ChromeOS for verified boot, IOW it verifies
blocks on underlying block device on-the-fly (when system reads them through
verity mapped device).
This means, that the dm-verity must be underlying device for all read
operations (to allow it stop reads once it detect wrong hash).

I know documentation is terse but at least something is here
http://code.google.com/p/cryptsetup/wiki/DMVerity (see Theory of operation).

Milan

Re: [dm-crypt] verity setup on active device.

[Milan Broz]

On 04/06/2014 12:26 AM, Shivaramakrishnan Vaidyanathan wrote:
> Also,
> http://lwn.net/Articles/533558/ tells that
>  "The key advantage over dm-verity is that the target supports read-write and requires less hash calculation operations.Device-mapper "integrity" target provides transparent cryptographic integrity protection of underlying read-write block device using hash-based message authentication codes (HMACs), which can be stored on the same or different block device."
> 
> I dont understand or get the main purpose of this tool. Could you please explain in a bit more elaborate way.Thanks

DM-integrity is completely different tool, I just know it was
proposed on dm-devel but never merged to mainline.

The main difference from dm-verity is obviously it provides read-write
functionality.

Please read dmdevel archive and use Google, there is nice presentation
by author of dm-integrity on LinuxCon Europe (2013)
"Integrity protection solutions in Linux" which shortly mentions both
verity and integrity targets.

(And it is big question if this integrity checking should be on block or filesystem level.)

Milan

Re: [dm-crypt] verity setup on active device.

[Shivaramakrishnan Vaidyanathan]

[-- Attachment #1: Type: text/plain, Size: 1496 bytes --]

I don't see the downloadable version for dm-integrity .Is there a link to
it.I see just dm-verity
https://code.google.com/p/cryptsetup/w/list?can=2&q=dm-integrity&colspec=PageName+Summary+Changed+ChangedBy

Can you please let me know the link?


On Sun, Apr 6, 2014 at 3:53 AM, Milan Broz <gmazyland@gmail.com> wrote:

> On 04/06/2014 12:26 AM, Shivaramakrishnan Vaidyanathan wrote:
> > Also,
> > http://lwn.net/Articles/533558/ tells that
> >  "The key advantage over dm-verity is that the target supports
> read-write and requires less hash calculation operations.Device-mapper
> "integrity" target provides transparent cryptographic integrity protection
> of underlying read-write block device using hash-based message
> authentication codes (HMACs), which can be stored on the same or different
> block device."
> >
> > I dont understand or get the main purpose of this tool. Could you please
> explain in a bit more elaborate way.Thanks
>
> DM-integrity is completely different tool, I just know it was
> proposed on dm-devel but never merged to mainline.
>
> The main difference from dm-verity is obviously it provides read-write
> functionality.
>
> Please read dmdevel archive and use Google, there is nice presentation
> by author of dm-integrity on LinuxCon Europe (2013)
> "Integrity protection solutions in Linux" which shortly mentions both
> verity and integrity targets.
>
> (And it is big question if this integrity checking should be on block or
> filesystem level.)
>
> Milan
>

[-- Attachment #2: Type: text/html, Size: 2216 bytes --]

Re: [dm-crypt] verity setup on active device.

[Shivaramakrishnan Vaidyanathan]

[-- Attachment #1: Type: text/plain, Size: 2259 bytes --]

I had a question here..So if I sign a image file for a virtual machine
using the command,How do I verify that image file has not changed?
gpg --output web-test.img.sig --sign web-test.img

Executing the above gives me a "web-test.img.sig" file.Whether verifying
this would be sufficient?

gpg --verify web-test.img.sig

gpg: Signature made Sun 06 Apr 2014 09:57:16 PM EDT using RSA key ID
3D3AC480

gpg: Good signature from "shiva (test) <abc.@outlook.com>


Should I boot the image now using the .sig file?Looking forward to your
reply.





On Sun, Apr 6, 2014 at 3:44 AM, Milan Broz <gmazyland@gmail.com> wrote:

> On 04/06/2014 12:11 AM, Shivaramakrishnan Vaidyanathan wrote:
> > I have few questions is this regard.I am ready to perform the offline
> > integrity check.I can have the image files in the nfs-share archived
> > live to another partition that is not mounted.Will I be able to
> > perform the integrity check at the block level in this case?Each time
> > virtual machine boots up,I need to be able to verify if the image was
> > the same as previous boot.> Is this achievable?
> >
> > Will these steps work?
> > 1. Image file (VM1 - Virtual hard disk file mounted in nfs share
> partition).
> > 2.I rsync the directory of nfs-share to another partition.
> > 3.Then whether I will be able to tell whether the virtual image file has
> been altered/changed from the previous boot?
>
> I am not sure if I understand what you are trying to do here but if it
> is file image (full device image shared on nfs) why not use simple gpg
> file signature and verify it before the VM boot?
>
> ...
>
> > Also I dont get the notion "Dm-verity was designed to provide
> verification of (read-only) device (to provide verified boot path), all IOs
> must go through dm-verity."
>
> The dm-verity was designed for ChromeOS for verified boot, IOW it verifies
> blocks on underlying block device on-the-fly (when system reads them
> through
> verity mapped device).
> This means, that the dm-verity must be underlying device for all read
> operations (to allow it stop reads once it detect wrong hash).
>
> I know documentation is terse but at least something is here
> http://code.google.com/p/cryptsetup/wiki/DMVerity (see Theory of
> operation).
>
> Milan
>

[-- Attachment #2: Type: text/html, Size: 3174 bytes --]